Disable FirewallD and Enable Iptables on CentOS 7

Download and Install the Iptables Service

To begin your server’s transition, you need to download and install the iptables-service package from the CentOS repositories. Download and install the service files by typing:

sudo yum install iptables-services

This will download and install the systemd scripts used to manage the iptables service. It will also write some default iptables and ip6tables configuration files to the /etc/sysconfig directory.

Construct your Iptables Firewall Rules

Next, you need to construct your iptables firewall rules by modifying the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files. These files hold the rules that will be read and applied when we start the iptables service.

How you construct your firewall rules depends on whether the system-config-firewall process is installed and being used to manage these files. Check the top of the /etc/sysconfig/iptables file to see whether it recommends against manual editing or not:

sudo head -2 /etc/sysconfig/iptables

If the output looks like this, feel free to manually edit the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files to implement the policies for your iptables firewall:

output
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall

Open and edit the files with sudo privileges to add your rules:

sudo nano /etc/sysconfig/iptables
sudo nano /etc/sysconfig/ip6tables

After you’ve made your rules, you can test your IPv4 and IPv6 rules using these commands:

sudo sh -c 'iptables-restore -t < /etc/sysconfig/iptables'
sudo sh -c 'ip6tables-restore -t < /etc/sysconfig/ip6tables'

If, on the other hand, the output from examining the /etc/sysconfig/iptables file looks like this, you should not manually edit the file:

output
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.

This means that the system-config-firewall management tool is installed and being used to manage this file. Any manual changes will be overwritten by the tool. If you see this, you should make changes to your firewall using one of the associated tools. For the text UI, type:

sudo system-config-firewall-tui

If you have the graphical UI installed, you can launch it by typing:

sudo system-config-firewall

Stop the FirewallD Service and Start the Iptables Service

Next, we need to stop the current firewalld firewall and bring up our iptables services. We will use the && construct to start the new firewall services as soon as the firewalld service successfully shuts down:

sudo systemctl stop firewalld && sudo systemctl start iptables; sudo systemctl start ip6tables

You can verify that firewalld is not running by typing:

sudo firewall-cmd --state

You can also see that the rules you set up in the /etc/sysconfig directory have been loaded and applied by typing:

sudo iptables -S
sudo ip6tables -S

At this point, the iptables and ip6tables services are active for the current session. However, currently, the firewalld service is still the one that will start automatically when the server reboots.

This is best time to test your firewall policies to make sure that you have the level of access that you need, because you can restart the server to revert to your old firewall if there are any issues.

Disable the FirewallD Service and Enable the Iptables Services

After testing your firewall rules to ensure that your policy is correctly being enforced, you can go ahead and disable the firewalld service by typing:

sudo systemctl disable firewalld

This will prevent the service from starting automatically at boot. Since the firewalld service should not be started manually while the iptables services are running either, you can take an extra step by masking the service. This will prevent the firewalld service from being started manually as well:

sudo systemctl mask firewalld

Now, you can enable your iptables and ip6tables services so that they will start automatically at boot:

sudo systemctl enable iptables
sudo systemctl enable ip6tables

This should complete your firewall transition.